- Fix rst syntax error
- Add pkg-config to list of brew packages to
install. While here, order them alphabetically.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Doing first -Werror builds on Linux against OpenSSL 3.0.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit ab55c9fdb2)
Hardcode libdir to lib, because openssl3 chooses
lib64 otherwise.
While here, some small changes:
- remove dangerous "|| true" after openssl make
- remove "-j1" for openssl "make install". Speeds
up the documentation generation.
- use set -x
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit f27157e28b)
OpenSSL has changed tags naming to
something like openssl-3.0.2, so adapt
our script accordingly.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
(cherry picked from commit 296abfca32)
Since we didn't have any regular builds against
OpenSSL 3.0 so far we didn't notice that it was
broken by commit 291e675748
(Move SSL context from OpenSSL Context to OpenSSL Config)
Since context is now part of config, we need to use
separate configs.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit 6715afd4c7)
Some netlink messages are sent as multicast by the kernel and will reach
all listening userspace processes. For this reason, the receiving
handler should discard non-interesting messages to avoid messing up the
local state.
Reported-by: David Sommerseth <davids@openvpn.net>
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Swig library build uses Python library which has the same arch
as build machine arch, which in our case is always x64.
Building for other archs causes machine type conflicts.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
When building swig library, pyconfig.h is
included which, before version 3.10, defines ssize_t:
    /* Define like size_t, omitting the "unsigned" */
    #ifdef MS_WIN64
    typedef __int64 ssize_t;
    #else
    typedef _W64 int ssize_t;
    #endif
    #define HAVE_SSIZE_T 1
which causes redefinition error. Take this into account
and add additional ifdef guard.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Commit 9ad98bae8f ("Add building ovpncli swig library to cmake build")
added GCC-specific compiler flags which are unknown on Windows.
Remove those flags from Windows build.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Some Windows header defines a macro ERROR which then
leads to build errors:
...\ovpn3-build\ovpn3\common\tlshttps\tlshttpsclient.cpp(167,28):
error C2589: "constant": Invalid token on the right side of "::"
[...\ovpn3\common\tlshttps\tlshttpsclient.vcxproj]
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
We saw problems with this on our RHEL7 builds because
we upgraded gcc but not swig. Work around the issue
for now until we can require SWIG 4.0.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
CID 10990 (#2 of 2): Using a moved object (USE_AFTER_MOVE)
2. use_after_move: rng_arg is used after it has been already moved.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Original source is only available via web archive.
This code should be replaced anyway since the license
is dubious regarding modification.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Closest I could identify so far. The fact that it is in
CVS and has no useful tags doesn't make it better.
Probably we can improve upon this.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
While the link is probably fine for most people
it is not strictly enough to fulfill the license
terms. Since this code is very limited in scope
I decided to add the txt file not in top directory
but rather near the files where it matters.
Add PURL to document where the source came from.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
As per ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
the 3rd clause was removed in 1999. So remove it here.
This also removes any potential GPL conflicts.
Renumber 4th clause to 3 as all the BSDs seem to have
done so.
While here, add SPDX-License-Identifier
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Introduced in commit
1b5d913503
CID 11054 (#1 of 1): Missing break in switch (MISSING_BREAK)
unterminated_case: The case for value 71 is not terminated
by a break statement
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
CID 11125 (#1 of 1): Uninitialized scalar variable (UNINIT)
8. uninit_use_in_call: Using uninitialized value
config_templ.enableNonPreferredDCAlgorithms when calling Config.
flood.cpp:1320
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Remove the vars-osx64 and vars-iossim files which are no longer used.
The iOS simulator does not support the VPN API and builds for the
iOS simulator have not been done in a very long time nor are they
particularly useful.
Also switch to pkg-config for jsoncpp by default.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
As a first step towards DNS configuration in openvpn and a unified way
to push DNS related settings to clients in v2 and v3, this commit adds
support for parsing the new --dns option. Later commits will add support
for setting up DNS on different platforms.
For now, --dns and DNS related --dhcp-option can be used together for
smoother transition. Settings from --dns will override ones from --dhcp-option
where applicable.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Most of these haven't been used in years and are
probably useless now. If required they can always
be recovered from the git history.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
This fixes an issue introduced in the previous commit:
Implement TLS Keying Material Export data key derivation
init_data_channel() is not supposed to run until the
KeyContext state reaches ACTIVE. This fix will cause
init_data_channel() to return without side effects when
data_channel_key is undefined, as it should be before
the KeyContext state reaches ACTIVE.
Signed-off-by: James Yonan <james@openvpn.net>
OpenSSLContext::SSL::export_keying_material() will now
return an error status (false) if SSL_get_session(ssl)
returns null.
Signed-off-by: James Yonan <james@openvpn.net>
Previously, ssl_up_stack() in httpcommon.hpp would
loop indefinitely until ssl_sess->read_cleartext_ready()
returned false, or halt is set. read_cleartext_ready()
will return true as long as the SSL_pending() function in
OpenSSL returns non-zero. But recent experience as well
as updates to the SSL_pending() man page suggest that
SSL_pending() may return non-zero even though no data is
actually readable from the object. In this case,
the previous code would enter an infinite loop.
The fix is to break out of the ssl_up_stack() loop when
ssl_sess->read_cleartext() returns zero size, rather
than solely relying on the return value of SSL_pending().
Signed-off-by: James Yonan <james@openvpn.net>
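
Added example, not part of the commit above and not OpenVPN 3 code: a small model of the loop-termination problem it describes, showing a drain loop that trusts only read_cleartext_ready() next to one that also stops on a zero-size read. MockSession, DrainResult, drain() and the max_iter cap are hypothetical names; only read_cleartext_ready() and read_cleartext() come from the commit message.

```cpp
// Added illustration: MockSession and drain() are hypothetical,
// not OpenVPN 3 code. Only the method names follow the commit message.
#include <cstddef>
#include <deque>
#include <string>
#include <utility>

class MockSession {
  public:
    explicit MockSession(std::deque<std::string> recs) : recs_(std::move(recs)) {}
    // Models SSL_pending() reporting non-zero although nothing is readable.
    void set_pending_stuck(bool v) { stuck_ = v; }
    bool read_cleartext_ready() const { return stuck_ || !recs_.empty(); }
    // Returns the next record, or an empty string when nothing is readable.
    std::string read_cleartext() {
        if (recs_.empty()) return {};
        std::string r = std::move(recs_.front());
        recs_.pop_front();
        return r;
    }
  private:
    std::deque<std::string> recs_;
    bool stuck_ = false;
};

struct DrainResult { std::size_t bytes = 0, iterations = 0; bool hit_cap = false; };

// stop_on_empty == false: pre-fix shape, exit depends only on read_cleartext_ready().
// stop_on_empty == true: post-fix shape, a zero-size read also ends the loop.
// max_iter exists only so the pre-fix demonstration terminates.
DrainResult drain(MockSession &s, bool stop_on_empty, std::size_t max_iter) {
    DrainResult r;
    while (s.read_cleartext_ready()) {
        if (r.iterations == max_iter) { r.hit_cap = true; break; }
        ++r.iterations;
        const std::string buf = s.read_cleartext();
        if (buf.empty() && stop_on_empty) break;
        r.bytes += buf.size();
    }
    return r;
}

int main() {
    MockSession s({"hello", "world!"}); // constructed sample records
    s.set_pending_stuck(true);
    return drain(s, true, 1000).hit_cap ? 1 : 0; // 0: loop ended on the empty read
}
```

With the pending indicator stuck, the pre-fix shape spins until the artificial cap while delivering the same 11 bytes; the post-fix shape exits on the third iteration.
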
from the man page:
The vfork system call can be used to create new processes. As of macOS
12.0, this system call behaves identically to the fork(2) system call,
except without calling any handlers registered with pthread_atfork(2).
This system call is deprecated. In a future release, it may begin to return
errors in all cases, or may be removed entirely. It is extremely strongly
recommended to replace all uses with fork(2) or, ideally, posix_spawn(3).